DOI QR코드

DOI QR Code

A Study of Security Checks for Android Least Privilege - focusing on mobile financial services -

모바일 앱 최소권한 사전검증에 관한 연구 - 금융, 안드로이드 운영체제 중심으로 -

  • Cho, Byung-chul (CIST(Center for Information Security Technologies), Korea University) ;
  • Choi, Jin-young (CIST(Center for Information Security Technologies), Korea University)
  • Received : 2015.11.07
  • Accepted : 2015.12.03
  • Published : 2016.02.29

Abstract

A security system in Android OS adopts sandbox and an permission model. In particular, the permission model operates the confirmation of installation time and all-or-nothing policy. Accordingly, the Android OS requires a user agreement for permission when installing an application, however there is very low level of user awareness for the permission. In this paper, the current status of permission requirement within mobile apps will be discovered, and the key inspection list with an appropriate method, when a mobile service provider autonomously inspects the violation of least privilege around financial companies, and its usefulness will be explored.

안드로이드 운영체제의 보안체계는 샌드박스와 권한모델을 적용하고 있다. 특히 권한모델은 설치시점 확인과 all-or-nothing 정책을 운영하고 있기 때문에 안드로이드는 앱을 설치할 때 필요한 권한에 대해 사용자 동의를 요구하고 있다. 하지만 안드로이드 권한에 대한 사용자의 인식은 부족한 상황이다. 따라서 본 논문에서는 실제 모바일 앱을 대상으로 권한요구 실태를 조사하고 금융회사를 중심으로 모바일 서비스 제공자가 모바일 앱의 최소권한 정책에 위배되는 사항을 자체점검하고자 할 때 활용가능한 중점 점검항목과 방법을 제시하고 그 유용성에 대해 알아보고자 한다.

Keywords

References

  1. IDC, "Smartphone OS Market Share, 2015 Q2", "http://www.idc.com/prodserv/smartphone-os-market-share.jsp," 2015.
  2. Q1 2014 MobileThreatReport, "http://www.f-secure.com/weblog/archives/00002699.html," 2014
  3. KISA, "Analysis of Android Mobile Platform Security Model", Aug. 2010.
  4. Adrienne Porter Felt, Elizabeth Hay, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. "Android permissions: User attention, comprehension, and behavior," In Proceedings of Symposium on Usable Privacy and Security, 2012.
  5. Korea Communication Commission, "Guidelines for privacy protection on smart phone application," Aug. 2015.
  6. Financial Supervisory Service, "Required implementation of privacy information leak prevention for smartphone app," Aug. 2015.
  7. Google Android Developers Official Site, "http://developer.android.com/reference/android/Manifest.permission.html," 2015.
  8. Android Full Source Android Manifest File, "https://android.googlesource.com/platform/frameworks/base/+/.../core/res/AndroidManifest.xml," 2015.
  9. Android-defined Permission Category, "http://developer.android.com/reference/android/Manifest.permission_group.html," 2015
  10. A tool for reverse engineering Android apk files, "http://ibotpeaches.github.io/Apktool"
  11. Reverse engineering, Malware and goodware analysis of Android applications, "https://code.google.com/p/androguard/wiki/RE#Permissions"
  12. Android Asset Packaging Tool, "http://elinux.org/Android_aapt"
  13. Tools to work with android .dex and java .class files, "http://sourceforge.net/projects/dex2jar"
  14. Jad Decompiler, "http://www.javadecompilers.com/jad"
  15. K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie, "Pscout: analyzing the android permission specification," In Proceedings of the 2012 ACM conference on Computer and communications security, pp 217-228. Oct. 2012.
  16. A. P. Felt, K. Greenwood, and D. Wagner. "The effectiveness of application permissions," in Proceedings ofthe USENIX Conference on Web Application Development, 2011.
  17. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. "Android permissions demystified," In Proceedings of the18th ACM conference on Computer andcommunications security, pages 627-638. ACM, 2011.
  18. W. Enck, M. Ongtang, and P. McDaniel. "On lightweight mobile phone application certification," in Proceedings of the 16th ACM conference on Computer and communications security, 2009.
  19. T. Vidas, N. Christin, and L. Cranor. "Curbing androidpermission creep," In Proceedings of the Web, volume 2, 2011.
  20. Xuetao Wei, Lorenzo Gomez, Lulian Neamtiu, Michalis Faloutsos, "Permission Evolution in the Android Ecosystem," Dec, 2012.